CVE-2015-6938

Name: CVE-2015-6938
Creator: NVD / NIST
Published: 2015-09-21T19:59:05.353+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.77%

Last modified Jun 17, 2026

CVE-2015-6938 is a vulnerability of currently unknown severity. Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.. EPSS estimates a 2.77% chance of exploitation in the next 30 days.

Description

Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.

Metrics

EPSS Probability

2.77%

84.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Jupyter	Notebook	4.0.0
Jupyter	Notebook	4.0.1
Jupyter	Notebook	4.0.2
Jupyter	Notebook	4.0.3
Jupyter	Notebook	4.0.4
Fedoraproject	Fedora	21
Fedoraproject	Fedora	22
Fedoraproject	Fedora	23
Opensuse	Opensuse	13.1
Opensuse	Opensuse	13.2
Ipython	Notebook	<= 3.2.1

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166460.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166471.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167670.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-10/msg00016.htmlThird Party Advisory
http://seclists.org/oss-sec/2015/q3/474
http://seclists.org/oss-sec/2015/q3/544Mailing List, Patch
https://bugzilla.redhat.com/show_bug.cgi?id=1259405Issue Tracking
https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892Exploit
https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677edExploit
https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3Issue Tracking, Patch
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166460.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166471.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167670.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-10/msg00016.htmlThird Party Advisory
http://seclists.org/oss-sec/2015/q3/474
http://seclists.org/oss-sec/2015/q3/544Mailing List, Patch
https://bugzilla.redhat.com/show_bug.cgi?id=1259405Issue Tracking
https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892Exploit
https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677edExploit
https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3Issue Tracking, Patch

Timeline

Published: Sep 21, 2015
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2015-6938?

How severe is CVE-2015-6938?

Severity scoring for CVE-2015-6938 is pending analysis. The EPSS model estimates a 2.77% probability of exploitation in the next 30 days.

How do I fix CVE-2015-6938?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2015-6938?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST